signalapp / Signal-Desktop

A private messenger for Windows, macOS, and Linux.
https://signal.org/download
GNU Affero General Public License v3.0

Major Bug: Anonymity and Privacy is destroyed by Link Previews. Easily fixed by allowing to turn off. #4689

Closed cfoster closed 3 years ago

cfoster commented 3 years ago

This issue replicates #3854. (Don't stop reading). I am specifically and purposefully raising this here, again, due to the seriousness of the issue in terms of destruction of anonymity and privacy of Signal Users.

Issue #3854 is marked as a feature request. This is a major bug and needs fixing - and it's very simple to fix.


Bug Description

Link Previews destroy user privacy and anonymity by alerting a potential bad-actor observer / external party as to:

Why is this?

To show a Link Preview, the Client must:

1. Perform DNS Resolution on the domain in question, raw.

If you are browsing the Internet via Tor, for instance, and are on a particular Web Address, you have alerted your DNS Provider to exactly which Website you're browsing. It may be a regular, normal website on the regular web or an onion, neither of which had previously had its name resolved by your DNS Provider.

The DNS Provider previously didn't know that you were even using Tor. Now they not only know you're using Tor (if you're trying to resolve an onion domain) but also know exactly what website you're looking at. Even if the Link Preview is not shown, because the DNS Resolution wasn't successful, the damage has already been done and the information has already leaked.

The same is true, as far as I'm aware, if you're sharing an Intranet domain, or something else that is only private on an internal network: what may not otherwise have been known to your DNS Provider is now known to your DNS Provider.

If I am a bad actor, I could even send a message to someone with a Link Preview and straight away find out their IP and all of their devices' IPs too, and they don't even have a choice in the matter.

2. Who is Communicating with whom and what they're sharing with each other

When the remote client (i.e. your friend) receives your message with an http location, from what I can see, their client immediately (raw) also performs DNS Resolution, which alerts their DNS Provider too.

External parties now have a great idea of exactly who is talking to whom, and what they're sending, because one client at one IP submitted a request, followed 0.25 seconds later by another client elsewhere performing the exact same request.

Let's say we're dealing with a Social Media Platform, like Facebook or Twitter. They will be able to build a picture pretty instantly as to who is talking to whom, what they're sharing and when they're sharing it.

The client is going off, performing DNS Resolution, making HTTP Requests, negotiating HTTPS if need be, parsing, and getting additional images from Metadata; this is a multi-HTTP-request process.

If the sender of the message is logged in to a site, and the URL contains information that only that user may have, then when the remote friend receives it and performs the request, straight away we know for sure exactly which IP is talking to whom and what they're sharing.

On Phone Clients, such as iPhone: are you using a Common HTTP library to do this? If so, Apple knows what you're dealing with too.

If you have Multiple Connected Devices, e.g. Phone and Laptop, whatever Link was shared on one is now resolved by the other as well, so now external parties also know all about all of your other devices too.

Please do NOT Mark this as a feature request.

All you have to do is give a Boolean Option to turn this stuff off.

KeyBase has the ability to Turn Off Link Previews. You have recently introduced Link Previews without giving the ability to turn them off.

Steps to Reproduce

  1. Send a Link Preview to a friend: not only your client, but your friend's client attempts to resolve the link preview. Raw.

Actual Result:

Actual result is a loss of privacy and anonymity.

Expected Result:

Correct result is an Option (On/Off switch) to Disable Link Previews.

Platform Info

Signal Version:

From what I can see, any Signal Version.

Operating System:

From what I can see, any Operating System.

cfoster commented 3 years ago

This issue is so bad that immediately after posting this and trying to copy it and show it to my friend, my friend's client would then go off and resolve it, which makes it obvious not only that we are talking to each other, but also, say for instance the IP that I posted this ticket from was over a Proxy of some kind ..... my own machine, raw, would then resolve this, as well as my friend's.

This is pretty horrendous.

scottnonnenberg-signal commented 3 years ago

When the remote client receives your message with a http location (i.e. Your friend), from what I can see, their client immediately (raw) also then performs DNS Resolution, which alerts their DNS Provider too.

Link previews are packaged up with all data necessary to display them on the sender device. The recipient doesn't need to make any requests.

You have recently introduced Link Previews without giving the ability to turn them off.

Your phone, in its Signal settings, in the Privacy subsection, has the ability to turn off link previews. That will propagate to your linked devices, which will also stop offering to create link previews.

This is pretty horrendous.

The core remaining issue appears to be that you'd like Signal to use your Tor proxy when generating Link Previews? Is that it? Is there something preventing you from doing that, an error you can file as a bug?

jasikpark commented 3 years ago

Can there be documentation added to the settings page of the Desktop app that describes that the link preview needs to be changed via the phone?

To disable link previews, please select the setting on your linked phone.

EvanHahn-Signal commented 3 years ago

@jasikpark That's a good idea. I'll speak with our designers about this.

To reiterate @scottnonnenberg-signal's earlier comment, link previews are only generated by the sender's device. The receiver will not make requests to the server when they receive the message or show the preview.

For example, Alice sends a message to Bob that includes "https://example.com", and Alice has link previews enabled. Alice's device will generate the link preview by making a request to example.com. Bob's device will make no requests to example.com.

You can read more about this on Ars Technica as compared to other messaging apps.

If this is still a concern for you, you can disable link previews on your primary mobile device. If Signal Desktop is not making requests over Tor, that's a separate issue (please open one if you're seeing problems!).

Thanks for flagging this kind of thing, even if it is a false positive. We want to continue to keep Signal rock solid, and we'd rather have reports like this than nobody reporting issues.

Because this is a duplicate of #3854 and not the security issue originally described, I'm going to close.
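The sender-only flow described in the comment above, as a small added model (this is example code, not Signal's implementation; the fetcher, the message layout and the setting name are assumptions, and the fetched page is a constructed stand-in for example.com so nothing touches the network):

```python
# Added example (not Signal's code): sender-side link previews as described
# in the thread. Fetcher, message layout and setting name are assumptions.
from html.parser import HTMLParser
import re

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-in for https://example.com so the example runs offline.
FAKE_PAGES = {"https://example.com": (
    '<html><head><meta property="og:title" content="Example Domain">'
    '<meta property="og:description" content="Used for illustration">'
    '</head><body></body></html>')}

class _OpenGraph(HTMLParser):
    """Collect og:* meta tags from a fetched page."""
    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("property") or "").startswith("og:"):
            self.meta[a["property"][3:]] = a.get("content") or ""

class Fetcher:
    """Records every request, so we can see which device touched the network."""
    def __init__(self):
        self.requests = []

    def get(self, url):
        self.requests.append(url)
        return FAKE_PAGES.get(url, "")

def compose(text, fetcher, link_previews_enabled=True):
    """Sender: if enabled, fetch the first URL and embed its metadata."""
    msg = {"body": text, "preview": None}
    m = URL_RE.search(text)
    if not (link_previews_enabled and m):
        return msg                      # setting off: no request at all
    og = _OpenGraph()
    og.feed(fetcher.get(m.group(0)))
    msg["preview"] = {"url": m.group(0), "title": og.meta.get("title"),
                      "description": og.meta.get("description")}
    return msg

def render(msg, fetcher):
    """Recipient: draw from the embedded data; the fetcher is never called."""
    p = msg["preview"]
    return msg["body"] if p is None else f"{msg['body']}\n[{p['title']}: {p['description']}]"
```

Running `compose` with one Fetcher for Alice and `render` with another for Bob shows only Alice's fetcher records a request, and with the setting off neither does.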